CF-Hero: discover the real IP addresses of web applications protected by Cloudflare

CF-Hero is a comprehensive reconnaissance tool developed to discover the real IP addresses of web applications protected by Cloudflare. It performs multi-source intelligence gathering through various methods.

Historical DNS record services try to discover all domains on the Internet and record changes to their DNS records. The best known of these services is SecurityTrails. If a domain is published on the Internet with its real IP address, these services' bots can log that address; if the domain is later placed behind Cloudflare, the real IP address can still be found through these services. Thus, we can find the real IP address of a domain that was served directly from that address in the past.

CF-Hero uses the SecurityTrails service for historical DNS records. You can perform this scan using the -securitytrails parameter after entering the API key in the cf-hero.yaml file.
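A zone owner can run the same historical-record check against their own domains. The sketch below is an added example, not CF-Hero's code: it classifies historical A records and flags any that still point at a live origin. The record layout, the `audit_history` function and the sample data are constructed, and the Cloudflare ranges are a snapshot of the list published at https://www.cloudflare.com/ips/.

```python
import ipaddress

# Snapshot of Cloudflare's published IPv4 ranges; may be out of date.
# Current list: https://www.cloudflare.com/ips/
CLOUDFLARE_V4 = [ipaddress.ip_network(n) for n in (
    "173.245.48.0/20", "103.21.244.0/22", "103.22.200.0/22", "103.31.4.0/22",
    "141.101.64.0/18", "108.162.192.0/18", "190.93.240.0/20", "188.114.96.0/20",
    "197.234.240.0/22", "198.41.128.0/17", "162.158.0.0/15", "104.16.0.0/13",
    "104.24.0.0/14", "172.64.0.0/13", "131.0.72.0/22",
)]

def is_cloudflare(addr):
    return any(addr in net for net in CLOUDFLARE_V4)

def audit_history(history, current_origins):
    """Classify historical A records (hypothetical layout) of a zone you operate."""
    origins = {ipaddress.ip_address(o) for o in current_origins}
    report = {"leaked": [], "stale": [], "proxied": [], "skipped": []}
    for rec in history:
        try:
            addr = ipaddress.ip_address(rec["ip"])
        except ValueError:
            addr = None
        if addr is None or addr.version != 4:
            bucket = "skipped"   # unparsable or non-IPv4 value
        elif is_cloudflare(addr):
            bucket = "proxied"   # record already pointed at Cloudflare
        elif addr in origins:
            bucket = "leaked"    # archived address is still a live origin
        else:
            bucket = "stale"     # archived address is no longer in use
        report[bucket].append(rec)
    return report

# Constructed sample: passive-DNS export for example.com (documentation IPs).
HISTORY = [
    {"host": "www.example.com", "ip": "203.0.113.10", "last_seen": "2022-06-30"},
    {"host": "www.example.com", "ip": "104.16.1.1", "last_seen": "2024-01-01"},
    {"host": "old.example.com", "ip": "198.51.100.7", "last_seen": "2020-02-14"},
    {"host": "api.example.com", "ip": "not-an-ip", "last_seen": "2023-05-05"},
]

if __name__ == "__main__":
    for bucket, recs in audit_history(HISTORY, ["203.0.113.10"]).items():
        print(bucket, [(r["host"], r["ip"]) for r in recs])
```

A record in the `leaked` bucket means the origin should be moved to a new address or firewalled so that it accepts traffic only from Cloudflare's ranges.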

DNS Reconnaissance

  • Current DNS records (A, TXT)
  • Historical DNS data analysis
  • Associated domain discovery

Intelligence Sources

  • Active DNS enumeration
  • Censys search engine
  • Shodan search engine
  • SecurityTrails historical records
  • Related domain correlation

The tool analyzes data from these sources to identify potential origin IP addresses of Cloudflare-protected targets. It validates findings through response analysis to minimize false positives.

A simple flowchart of the tool

Features

  • DNS Reconnaissance

    • Checks current DNS records (A, TXT)
    • Extracts domains behind Cloudflare
    • Extracts domains not behind Cloudflare
  • Third-party Intelligence

    • Censys integration
    • Shodan integration
    • SecurityTrails integration
    • Reverse IP lookup for associated domains
  • Advanced Features

    • Custom JA3 fingerprint support
    • Concurrent scanning capabilities
    • Standard input support (piping)
    • HTML title comparison for validation
    • Proxy support
    • Custom User-Agent configuration

Install & Use